On April 30, 2020, the French data protection authority, the CNIL, published a guidance surrounding considerations behind what it calls “commercial prospecting,” meaning scraping publicly available website data to obtain individuals’ contact info for purposes of selling such data to third parties for direct marketing purposes.  The guidance is significant in two respects.  First, it speaks to the CNIL’s view of this activity in the context of the GDPR and privacy concerns.  Second, beyond the context of direct marketing related privacy issues, the guidance lays out some guiding principles for companies that conduct screen scraping activities or hire outside vendors to collect and package such data.

Privacy Concerns

Based on its investigation into commercial prospecting, the CNIL guidance noted that some entities are scraping individuals’ phone contact information posted on online directories or listings, even though such individuals may not have given consent for such collection and subsequent reuse for marketing solicitations. The guidance states that although such contact information is from publicly accessible websites, the individuals who posted the information did not reasonably expect to have it scraped for “prospecting,” and as such, the contact information is still “personal data” under the GDPR and cannot be re-used for marketing without the consent of the data subject.

The guidance notes that such consent should be obtained prior to any reuse of the data for marketing purposes and must be freely given, specific, informed and unambiguous. The CNIL states that the acceptance of the terms of general conditions mentioning that the individual accepts to receive marketing communications is insufficient, as it not specific. In addition, the CNIL notes, the individuals’ rights under the GDPR must also be complied with, such as the right for an individual to oppose to the processing of their data and the need to provide appropriate information to the individual as to the processing of their data (the business reusing the data should in principle make a privacy policy available to the concerned individuals).

With the release of this guidance, the French data protection agency (a “DPA”) has quietly confirmed that web scraping involving the collection of personal data, even from publicly available websites, implicates the need to conform with the GDPR and requires that companies (and their vendors) perform needed compliance.  This is not the first time that a European DPA has investigated data scraping activities.  In March 2020, the Polish DPA issued its first fine under the GDPR against Bisnode, a Swedish-headquartered company that specializes in business intelligence and data analytics. Apparently, Bisnode had scraped data from publicly available government databases about individuals’ prior registrations as sole proprietors and other related corporate activities and produced certain reports for its clients.  To fulfill certain requirements under the GDPR, Bisnode had sent emails to affected individuals with known addresses (and posted notices on its website), but it failed to send postal notification to millions of other individuals or entities due to the administrative cost and burden of doing so.  The Polish DPA issued a fine for such a violation. Instead of complying with mailing millions of notices, Bisnode reportedly stated it would delete the data at issue, and appeal the Polish DPA’s order.  Regardless of the outcome, data scraping is something that EU regulators are beginning to keep an eye on.

General Concerns About Scraping

As we’ve stated on multiple occasions, it is important for downstream recipients of anonymized web or user data or analytic reports breaking down such data to understand how such data is collected and processed and whether such data collection is done according to applicable law or contractual requirements.  Putting aside the GDPR issues, the CNIL guidance is a timely reminder to those entities engaged in web scraping about the importance of due diligence with respect to the data collection.  The guidance also laid out some guiding principles for companies that conduct screen scraping activities or hire outside vendors to collect and package such data:

  • Understand the duration of the web scraping and data processing activities
  • Know the origin of the scraped data and whether the website from which the data is collected restricts its collection and commercial reuse
  • Minimize the collection of personal data, and refrain from collecting any data that is irrelevant for the expected purpose of the data extraction
  • Inform individuals affected by the collection of any personal data
  • Carefully oversee vendor relationships concerning the nature of the data processing and any privacy and data security obligations. The CNIL suggests that service contracts should comply with certain GDPR requirements and, among other things, should specifically outline the nature of the data collection activities, including the purpose of the processing and the types of personal data collected (if any).
  • Conduct a data protection impact assessment (DPIA), if appropriate
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Stéphanie Martinier Stéphanie Martinier

Stéphanie Martinier is a partner in the Corporate Department, working in the Paris office.

Stéphanie advises French and international clients on the legal aspects of their investments in France. She has worked on a wide range of corporate transactions, including business acquisitions and…

Stéphanie Martinier is a partner in the Corporate Department, working in the Paris office.

Stéphanie advises French and international clients on the legal aspects of their investments in France. She has worked on a wide range of corporate transactions, including business acquisitions and sales (both for industrial clients and private equity funds), and joint ventures, and has been involved in the negotiation of sensitive commercial contracts. In addition, she has built long-term relationships with her clients advising them in this context on compliance with the General Data Protection Regulation (GDPR) and other French data privacy regulations.

Stéphanie has also developed expertise in the restructuring of corporate groups, in the negotiation of management packages and in dealing with the corporate aspects of the departure of top executives.

In addition, she manages the pro bono work of the Paris office and, as part of this commitment, provides training on the legal aspects of the creation of a business to young entrepreneurs through the program run by the not-for-profit Yes Akademia.

Stéphanie attended law school in both France and the United States, receiving a master of law from University Lyon III and a LL.M from University of Minnesota. She is licensed to practice law in France and New York, and has been with Proskauer since she graduated.

Photo of Jeffrey Neuburger Jeffrey Neuburger

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise…

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise, combined with his professional experience at General Electric and academic experience in computer science, makes him a leader in the field.

As one of the architects of the technology law discipline, Jeff continues to lead on a range of business-critical transactions involving the use of emerging technology and distribution methods. For example, Jeff has become one of the foremost private practice lawyers in the country for the implementation of blockchain-based technology solutions, helping clients in a wide variety of industries capture the business opportunities presented by the rapid evolution of blockchain. He is a member of the New York State Bar Association’s Task Force on Emerging Digital Finance and Currency.

Jeff counsels on a variety of e-commerce, social media and advertising matters; represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements; advises on the implementation of biometric technology; and represents clients on a wide range of data aggregation, privacy and data security matters. In addition, Jeff assists clients on a wide range of issues related to intellectual property and publishing matters in the context of both technology-based applications and traditional media.

Photo of Jonathan Mollod Jonathan Mollod

Jonathan P. Mollod is an attorney and content editor and a part of the firm’s Technology, Media and Telecommunications (TMT) Group. Jonathan earned his J.D. from Vanderbilt Law School. He focuses on issues involving technology, media, intellectual property and licensing issues and general…

Jonathan P. Mollod is an attorney and content editor and a part of the firm’s Technology, Media and Telecommunications (TMT) Group. Jonathan earned his J.D. from Vanderbilt Law School. He focuses on issues involving technology, media, intellectual property and licensing issues and general online/tech law issues of the day.